Re: Global PKI on DNS?

> At 11:58 AM -0400 6/25/02, Keith Moore wrote:
> >>  We seem to agree that the DNS could be used to distribute certs, so
> >>  the question is what should the certs attest to and who should issue
> >>  them. I argue that we need certs that support validation of DNS
> >>  bindings, and that the only authoritative sources for that info are
> >>  the folks who manage the DNS.
> >
> >and there is no assurance that they're trustworthy.
> 
> since trustworthiness is a relative term, that can always be said 
> about any CA.  that's why I don't like dealing with CAs based on 
> trust. authoritativeness is a quality that is less contentious in 
> many contexts, including this one.

the question is why IETF should endorse the idea of TLDs (or other
zones) being CAs when that is not needed to authenticate the RRs for 
which the zones are responsible.  

> and a DNS-based PKI would not require anyone to trust it. 

no, but IETF would be blessing the idea of TLDs becoming CAs when 
this is not necessary for them to serve their function, and then 
saying on the other hand "of course it's your choice about whether 
to trust them".  it reminds me of the "voluntary" income-tax 
collection system we have in the US.

> you fear that people would decide to rely on this new aspect of the 
> infrastructure and you think that, because of the specific 
> organizations operating some TLDs, that this would be a bad choice. 

no, it's not *because* of the specific organizations.  however
specific organizations have demonstrated that TLDs are not necessarily
trustworthy.  

or to put it another way, the trustworthiness of the DNS system as 
a whole is maximized if the shared zones (those that are not delegated 
to a single private individual or organization) are not given more 
responsibility or authority than absolutely necessary.

Keith
